| Author |
Topic |
|
aclarke
Posting Yak Master
133 Posts |
Posted - 2003-08-20 : 16:32:54
|
| Hi. Does the Enterprise Manager encrypt all data, or just the login info (or does it even encrypt that?). I've set up openssh via cygwin on my test database server and am thinking of connecting to my server through that as I pass a lot of sensitive data through the connections. I can forward port 1433 on the server to local port 1433 and then connect to 127.0.0.1 on my local computer and it forwards through to our test server no problem. However, when I do this it makes it sort of confusing to access the local SQL Server which is my development server.

Is there a way of connecting to a SQL server on a port other than 1433? Say if I wanted to access my local server at localhost:1433, my test server at localhost:1434 (port forwarded to 1433 on the test server) and the live server at localhost:1535 (port forwarded to 1433 on the live server), how would I do that in Enterprise Manager? Is there a way or am I looking at this problem from the wrong angle?

Thanks,
- Andrew Clarke. |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-08-20 : 16:36:35
|
| To change the port that SQL Server listens on, open up Server Network Utility which is found in the Microsoft SQL Server program group. Select your server (Instance), then select TCP/IP, then select Properties. Now select a port. Then restart the MSSQLSERVER service. In order for clients to access SQL Server now, you will need to set up an alias in Client Network Utility.

Tara |
 |
|
|
aclarke
Posting Yak Master
133 Posts |
Posted - 2003-08-20 : 17:39:23
|
| Thanks for your response. I tried a few things and discovered at least that it seems you can specify a port using servername,portnumber nomenclature. I was trying UNIX-style : instead of , and wasn't getting anywhere.

I can turn off my local SQL Server, and use SSH to port forward 1433 of my test server to local port 1433. Then if I go to 127.0.0.1, I get the remote test server so I know that part works. I can also go to 127.0.0.1,1433 and that works. However, when I port forward remote port 1433 to local port 1434, it won't work. Interestingly, I even set my local server instance to listen on port 1434 and restarted it, and it STILL appears to be listening on 1433. I can go to localhost,1433 and it gets in, whereas localhost,1434 says SQL Server does not exist or access denied.

Basically I want all my servers to continue to use port 1433, but then use SSH to forward those remote ports to different local ports. Then I can set up aliases for them or whatever, and basically connect to localhost:1500 or something to get to a remote server communicating on 1433.

Thanks again,
- Andrew. |
 |
|
|
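The layout described in the post above (each remote server still listening on 1433, reached through its own loopback port and a `server,port` name), as an added example that is not part of the original thread. The host names, local ports 1500/1501 and the function names are assumptions, as is sshd running on the database host itself.

```python
import socket

LOOPBACK = "127.0.0.1"
SQL_PORT = 1433  # port the remote SQL Servers listen on in this thread


def port_in_use(port, host=LOOPBACK):
    """True if something (e.g. the local dev SQL Server) already accepts on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1.0)
        return s.connect_ex((host, port)) == 0


def plan_forwards(targets, in_use=port_in_use):
    """targets maps alias -> (ssh_destination, local_port).

    Returns (ssh argv per alias, Enterprise Manager server name per alias)."""
    owner = {}
    commands, servers = {}, {}
    for alias, (dest, local_port) in targets.items():
        if not 1 <= local_port <= 65535:
            raise ValueError(f"{alias}: {local_port} is not a valid TCP port")
        if local_port in owner:
            raise ValueError(f"{alias} and {owner[local_port]} both use local port {local_port}")
        if in_use(local_port):
            raise ValueError(f"{alias}: local port {local_port} already has a listener")
        owner[local_port] = alias
        # Bind to loopback so other machines cannot reach the database through
        # this workstation; the far end is 1433 on the SSH server itself.
        spec = f"{LOOPBACK}:{local_port}:{LOOPBACK}:{SQL_PORT}"
        commands[alias] = ["ssh", "-N", "-L", spec, dest]
        servers[alias] = f"{LOOPBACK},{local_port}"  # comma, not colon
    return commands, servers


if __name__ == "__main__":
    # Constructed sample: hypothetical hosts, local ports chosen for illustration.
    sample = {"test": ("andrew@test.example.com", 1500),
              "live": ("andrew@live.example.com", 1501)}
    cmds, names = plan_forwards(sample)
    for alias in sample:
        print(alias, " ".join(cmds[alias]), "->", names[alias])
```

The listener check rejects a local port that a running instance already holds, so a forward is never planned onto a port where the local development server would answer instead of the tunnel.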
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-08-20 : 17:46:17
|
| I would not recommend using port 1433 even if you are going to use port forwarding. 1433 is the port that the worms use, so you shouldn't use it. 1434 also shouldn't be used, for similar reasons.

Tara |
 |
|
|
aclarke
Posting Yak Master
133 Posts |
Posted - 2003-08-20 : 18:07:11
|
quote: Originally posted by tduggan I would not recommend using port 1433 even if you are going to use port forwarding. 1433 is the port that the worms use, so you shouldn't use it. 1434 also shouldn't be used, for similar reasons.
That's a good point and on my to-do list. When I said I wanted all my servers using port 1433 that shouldn't have been construed as me ACTUALLY wanting them all using port 1433, but rather that getting them running on different ports wasn't the focus of this exercise. - Andrew. |
 |
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2003-08-20 : 19:13:54
|
| SQL Server 2000 supports encryption on all network protocols. SQL 7.0 supports encrypting multiprotocol network connections. If you run the Server Network Utility and Client Network Utility programs you'll be able to set encryption for whichever network library you use, and you can avoid SSH entirely, and use any port you like. |
 |
|
|
eyechart
Master Smack Fu Yak Hacker
3575 Posts |
Posted - 2003-08-21 : 00:53:02
|
| From what I have read it appears you have a database with very sensitive data on it. You don't want packets that are traveling back and forth to be sniffed off of the network, so you would like to encrypt all of the communication. Is this correct?

My gut feeling is that encryption of the connection will probably lead to terrible performance (just an assumption). Less than optimal performance might be an acceptable trade-off for the extra security encryption provides, I guess it all depends. But I thought that this was a very interesting topic, so I am wondering if there might be another solution to your problem.

Here are some options that I could think of:

1. Encrypt the entire communication as was suggested (ipsec tunnel, SQL2k SSL encryption, etc.). See this link for some good information: http://support.microsoft.com/servicedesks/webcasts/wc042302/4
2. Encrypt only the sensitive data inside your database, using a tool such as xp_crypt http://www.activecrypt.com/product.htm
3. Isolate your SQL server using routers or by using a SQL firewall to ensure only authorized access to your data (http://www.guardium.com/index2.html). Here is a recent article (August 2003) in sqlmag regarding SQL firewalls: http://www.sqlmag.com/Articles/Index.cfm?ArticleID=39440
4. Use a combination of the above.

I am curious if anyone has any experience with using tools like xp_crypt, SSL encryption or IPSEC tunnel, or using a SQL Firewall. Are there other options? Any opinions?

-ec |
 |
|
|
aclarke
Posting Yak Master
133 Posts |
Posted - 2003-08-22 : 14:53:08
|
| Rob - I'm using SQL Server 7.0 and it wasn't apparent how I could get the encryption working. I've found lots of info on SQL 2000 but not much on 7.0. I think I've found places to begin on this and it looks like a better option if I can get it working.

Eyechart, I'm not encrypting all traffic, just the traffic that goes outside the network. For instance, I'm not going to be encrypting traffic between the database server and app server, as they are sitting side by side and nobody's going to be able to sniff that traffic. The most sensitive info in the database is encrypted although it's not very strong encryption (yet, although I'm in the process of using "real" encryption for that too in case a computer is stolen or something). However, I'd like to encrypt between the live and test servers which are co-located, and our development locations as this info travels out over the internet. I'm not terribly worried about the performance hit as I won't be encrypting any "live" traffic so customers' sessions won't be significantly negatively affected.

Thanks again for everybody's responses.
- Andrew. |
 |
|
|